AT&T sends out iPad 3G email leak acknowledgment

Following the web attack that enabled black hat hackers to obtain a list of private email addresses of its iPad 3G subscribers, AT&T has mailed out a vaguely apologetic acknowledgment of the event explaining what happened.

The event resulted in an FBI investigation of the attack, which exploited a feature on AT&T's website that auto-populated a user's email address on record when their iPad 3G SIM card serial number was entered into the page.

The attack used scripts to repeatedly poll the site for email addresses based on plausible serial numbers, resulting in a long list of emails tied to specific iPad SIM cards, although no other information was gained.

AT&T has since disabled the feature, so customers logging into the site will have to enter both their SIM card serial number and their email address.
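The two behaviours the article describes, as an added illustration that is not AT&T's code: a "before" lookup that turns a SIM serial into the email on record, and an "after" check that requires the caller to present both values and only answers whether they match. The subscriber table, ICCIDs and source addresses are constructed placeholders, and the per-source throttle is an assumption of what such a login gate would reasonably add rather than anything the article states AT&T did.

```python
"""Before/after sketch of the iPad 3G SIM lookup described in the article.
Constructed example, not AT&T's implementation; all data below is made up."""
import hmac
import time
from collections import defaultdict

# Constructed sample data: ICCID -> registered email (placeholder values).
SUBSCRIBERS = {
    "8999900000000000001": "alice@example.com",
    "8999900000000000002": "bob@example.com",
}


def vulnerable_lookup(iccid: str):
    """Before: one known value (the ICCID) yields another (the email).
    Anyone who can supply a plausible ICCID learns the address on record,
    which is exactly the enumeration the article reports."""
    return SUBSCRIBERS.get(iccid)


class LoginGate:
    """After: the caller must present both the ICCID and the email. The server
    only reports whether the pair matches, never the stored email, and it
    throttles repeated failures per source so the pair is not guessable."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(list)  # source -> failure timestamps

    def _prune(self, source, now):
        cutoff = now - self.window
        self._failures[source] = [t for t in self._failures[source] if t > cutoff]

    def is_throttled(self, source, now=None):
        now = time.monotonic() if now is None else now
        self._prune(source, now)
        return len(self._failures[source]) >= self.max_failures

    def authenticate(self, source, iccid, email, now=None):
        """Return 'ok', 'denied' or 'throttled'. Same response for an unknown
        ICCID and a wrong email, so the reply does not confirm which SIM
        serials exist."""
        now = time.monotonic() if now is None else now
        if self.is_throttled(source, now):
            return "throttled"
        expected = SUBSCRIBERS.get(iccid) or ""
        presented = email.strip().lower()
        # Always run the comparison (even for an unknown ICCID) and use a
        # constant-time compare so timing does not reveal the stored value.
        match = hmac.compare_digest(expected.encode(), presented.encode())
        if not (match and expected):
            self._failures[source].append(now)
            return "denied"
        return "ok"


if __name__ == "__main__":
    print(vulnerable_lookup("8999900000000000001"))  # before: leaks the email
    gate = LoginGate(max_failures=3, window_seconds=60)
    print(gate.authenticate("10.0.0.1", "8999900000000000001", "alice@example.com"))
    print(gate.authenticate("10.0.0.1", "8999900000000000001", "nobody@example.com"))
```

The design point is that the hardened path never returns the secret it is checking: a correct pair gets "ok", everything else gets the same "denied", and a source that keeps failing inside the window is cut off before it can work through many guesses.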

Name a company who has done better or who would do better in a similar situation. The issue was dealt with the same day it became known. Not bad for a company with over 1000,000 employees. How fast do Apple, Microsoft, and the rest deal with this sort of thing? Sometimes it's months before Apple patches a security issue. And then there's Adobe and its Flash security issues.

I'm disgusted about the failure of AT&T to protect my data. Email addresses today, what else tomorrow? What a bunch of hacks. If the US took personal data security as seriously as Europe does, perhaps this would happen less often because it would hurt their bottom line. Personal data should be protected by LAW here - not with a marketing promise. Just another example of how we give the keys to corporations.

Quote:

Originally Posted by erpx

I didnt receive an e-mail. Does it mean my info was not in the compromised list? I also purchased the 3G/WiFi iPad on Day 1 (April 30th)

Yes

Quote:

Originally Posted by jragosta

I didn't get that letter - and I signed up for 3G for my iPad on day 1.

Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the Unlimited data plan not being available to you after June 7th unless you paid for and maintained that plan each consecutive month. I am writing to let you know that we had a brainfart and now realize you may have purchased the iPad 3G specifically for previously advertised plan options. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to opt for your AT&T Unlimited 3G service data plan on your iPad indefinitely and with confidence.

I am fine with this, it does place the blame outside of AT&T a bit much, so not as much of an apology as a 'It was not our fault, it was a couple of very crafty hackers', but I do understand it happens.

What I find funny is the earlier story where the head of AT&T threatened someone with legal action for emailing him. I doubt that we would be able to sue him if someone used our email address after this leak.

Hmm, "web attack" and "black hat" hackers to portray security researchers and their demonstration script? Black hat involves illegal activities or vandalism as a motivation; there was none. This is really becoming more and more weird, biased and in fine irrelevant over here.

Hmm, "web attack" and "black hat" hackers to portray security researchers and their demonstration script? Black hat involves illegal activities or vandalism as a motivation; there was none. This is really becoming more and more weird, biased and in fine irrelevant over here.

Their motivation was self-aggrandizement, and they handed the data over to a sleazy web tabloid for publication. I think black hat is a fitting description in this case, as is web attack. I might have used an even stronger adjective to describe them. The only things that belong in quotes are "security researchers" and "demonstration script".

I haven't heard anything so I guess I'm not one of the affected users. However, having done web programming for many years now, I am inclined to ask why this gaping security hole was left open. Does nobody there do penetration testing? I always remember one rule: never trust user input. I guess at the end of the day it's the dollars that matter, and I'm voting for AT&T with my wallet. That said, if there was another option I'd be seriously exploring it.

I'm disgusted about the failure of AT&T to protect my data. Email addresses today, what else tomorrow? What a bunch of hacks. If the US took personal data security as seriously as Europe does, perhaps this would happen less often because it would hurt their bottom line. Personal data should be protected by LAW here - not with a marketing promise. Just another example of how we give the keys to corporations.

Are you kidding me?! The US government (because they are the ones supposedly responsible for making law) taking anything seriously to protect one's self-privacy?!

This is not a swipe at Obama by me for a change, so read on with an open mind.

I'll give you an example of how valued privacy is in America when it comes to protection by "LAW"!

There was a time in the U.S., pre 2003, when your telephone would ring off the hook, incessantly, from telemarketers selling their wares: magazine subscriptions, various products, various services, etc. They'd always call, it seems, right as you'd sit down for dinner, supper, or whatever you call your evening meal. You'd answer because "Caller ID" was not a prevalent feature by the phone company.

Congress, our beloved political A-holes at the time, passed "The Do-Not Call List", where people HAD to join the list for it to be effective and not have businesses call; if telemarketers called those on the list and the person filed complaints, I believe an $11,000 fine would be issued to the company.

Here is the kicker, folks. According to the politicians, 'Do-Not Call' doesn't necessarily mean do not call for certain groups. Namely "charities" and you guessed it "politicians". So much for a noble idea and promise. Thanks to the exemptions, the phone rings incessantly off the hook near election day and any "hack" can pose as some charitable organization to try and rife the unwittingly with a very convincing script! Thanks Congress.

So back to the poster's comments: "Personal Data should be protected by LAW here - not with a marketing promise."

Again, I rant: "Protected by LAW? Are you kidding me?!"

Ten years ago, we had Steve Jobs, Bob Hope and Johnny Cash. Today we have no Jobs, no Hope and no Cash.

I am fine with this, it does place the blame outside of AT&T a bit much, so not as much of an apology as a 'It was not our fault, it was a couple of very crafty hackers', but I do understand it happens.

Well nowadays, it does seem to be the "popular thing to do" with regards to taking responsibility without taking responsibility and knowing where the true blame falls.

Obama and his fellow children in power have crafted the "Not Me!", "what we inherited" and "because of the Bush Administration" lines to an Art form, that makes me wonder when this kid will grow up and take responsibility for anything?! A poster found AT&T's actions 'disgusting' but to me, this incessant whining by those in Washington is truly quite disgusting!

Hey Obama, is it George Bush's fault for you spending more time on the 'Golf Course' VERSUS the Gulf Coast?!

What about if I am predisposed to enjoy laughing at their misfortune? Seriously, I love it. Why? Because overall as a wireless company, AT&T sucks. Their coverage, reliability, pricing schemes and customer service...they're all terrible. The only reason I have it is because I have an iPhone.

Quote:

Originally Posted by Rod76

I got my worthless letter. An apology really does nothing, there should be fines involved or I should get some discount on my service.

As I just demonstrated, I'm no fan of AT&T. That said, what... are you kidding? They did what they could do to fix the issue. You asking for fines is analogous to someone having their home robbed, where they lose a family member's jewelry. You're then saying the victim(s) of the theft should be fined for allowing it to happen.

I can only please one person per day. Today is not your day. Tomorrow doesn't look good either.

So your email address found its way onto another spammer's list. In today's world that is a daily fact of life; learn how to deal with it. This hacker had to do a lot of work to assemble this list; it was not just a matter of copying a file. It also smells like there was some inside info that triggered this exploit.

I'm disgusted about the failure of AT&T to protect my data. Email addresses today, what else tomorrow? What a bunch of hacks. If the US took personal data security as seriously as Europe does, perhaps this would happen less often because it would hurt their bottom line. Personal data should be protected by LAW here - not with a marketing promise. Just another example of how we give the keys to corporations.

Your email is available from all kinds of sources on the internet, and Google has all kinds of additional data on you that China is just itching to get their hands on!

Seriously, if you aren't using dummy emails for this stuff, (or something) you deserve to get spammed by the likes of Goatse (lamea$$ group of wannabes).

Hmm, "web attack" and "black hat" hackers to portray security researchers and their demonstration script? Black hat involves illegal activities or vandalism as a motivation; there was none. This is really becoming more and more weird, biased and in fine irrelevant over here.

...they announced that they had released the script to "unspecified others" outside of their organization - thus throwing the script into the wild. That constitutes asshattery more than blackhattery, but for them to go "we ain't done nothin' wrong" is a complete and utter fail. The key to the FBI investigation will be what their motivation was. If it was a deliberate attack on ATT to try and compromise specifically the iPad release and iPad users, that would be a potential civil litigation by Apple and ATT against Goatse. If they were just poking a discovered vulnerability and were simply careless in the script release, they will probably get little more than stern looks.

I think it's interesting they went specifically after iPad owners, and not other handheld or wireless devices that were non-contract. Sounds pretty much like a media grab.

Well nowadays, it does seem to be the "popular thing to do" with regards to taking responsibility without taking responsibility and knowing where the true blame falls.

Obama and his fellow children in power have crafted the "Not Me!", "what we inherited" and "because of the Bush Administration" lines to an Art form, that makes me wonder when this kid will grow up and take responsibility for anything?! A poster found AT&T's actions 'disgusting' but to me, this incessant whining by those in Washington is truly quite disgusting!

Hey Obama, is it George Bush's fault for you spending more time on the 'Golf Course' VERSUS the Gulf Coast?!

They take privacy and the law seriously, unless it's a U.S. intelligence agency asking them to break the law because of "national security", in which case they'll go along and tell anyone who objects that they don't have to answer to anybody and should be immune from prosecution.

Yeah. I tend to believe the tongue on the shoes more than the mouth. I trust in what they do more than just a letter they pen. So on this one, AT&T, show me you care by taking an action.

What additional action(s) do you have in mind? And what if this issue came about in part because Apple required that the SIM S/N automatically populate the registered email addy? What would be required from Apple?

ChrisPaget writes:
"I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure: the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix."